Jul 19 2022 03:51 AM
Hi,
Recently, I've observed that Defender incidents are automatically changing status from Resolved to Active. When I checked the comments on the incident, I could clearly see that automation is changing the status of the incident from Resolved to Active. Is anyone experiencing the same issue, or does anyone have any idea why it is happening? Thanks in advance!
FYI, please see below how the incident status is changed in the comments section of the incident:
Automation
Aug 04 2022 01:04 AM
@HeikeRitter I'm also experiencing this issue recently.
The alerts are sent into Sentinel via the Defender 365 connector and are closed on the Sentinel side, which I can then see are reopened several minutes later by automation in the Defender portal itself.
I've attached a screenshot below; they all pretty much follow the same problem.
Any ways of getting around this?
Aug 05 2022 01:15 AM
@Gerson Levitz my tickets are flipping back into in progress.
@HeikeRitter or @Gerson Levitz do I need to open a different ticket here or is this issue being dealt with jointly?